CPSA Import Flashcards

1
What is a passive OS fingerprinting technique
Monitoring network traffic using tools such as Wireshark for information regarding the OS, and also using p0f, a tool that listens to network traffic and fingerprints the OS based on characteristics of the packets
2
What is an active OS fingerprinting method
Using a port scanner like nmap
3
nmap flag to get OS details of target
-O for Operating System details
4
What is banner grabbing
A technique where attackers identify infrastructure details from headers, scans, etc.
5
How can we get application versions from a network
We can use an nmap scan with the -sV flag to enable version detection
6
How can we get server types from banners
A curl -I request will show the response headers, which often include a Server header, e.g. Server: Apache/2.4.41 (Ubuntu)
7
What is the difference between encryption and encoding
Encryption requires a secret key to be decrypted and is not reversible without it, whereas encoding uses a predefined scheme to convert data from one form to another with no key, such as base64
8
What is encryption
Encryption involves using an algorithm and a key to transform plaintext into ciphertext. The process is reversible only if the correct decryption key is used
9
What is encoding
Encoding uses a predefined scheme to convert data from one form to another. The process is reversible without the need for a key
10
What are the key factors that change between encoding and encryption
There are differences in reversibility and levels of security
11
What are examples of encryption
RSA, AES
12
What are examples of encoding
Base64, ASCII, URL encoding
13
What is a hash
A hash is a cryptographic function that takes an input and returns a fixed-size string of bytes; the same input will always produce the same output, known as a "digest"
14
What are the two most known hashes
MD5 and SHA1
15
Are MD5 and SHA1 considered secure
MD5 and SHA1 are considered insecure and unsuitable for most applications
16
Bit length of MD5
128-bit hash
17
What was MD5 designed for
MD5 was designed to be a cryptographic hash function used for integrity checking, digital signatures, etc.
18
Why is MD5 considered insecure
Due to collision vulnerabilities: researchers found that MD5 is susceptible to collision attacks, where two DIFFERENT inputs result in the same hash output
19
What is a collision vulnerability
Where two different inputs result in the same hash output
20
What is the real world risk of collision vulnerabilities in hashing
Being exploited in attacks such as creating malicious certificates that appear legitimate as they have the same MD5 hash as a trusted certificate
21
What is SHA1 bit size
160-bit hash
22
What was SHA1 designed for
It used to be widely used in cryptographic applications, including SSL/TLS certificates and file integrity validation
23
Why is SHA1 considered insecure
SHA1 is considered insecure as researchers demonstrated that two different inputs can produce the same hash output
24
Is SHA1 considered secure
SHA1 is considered
25
Is SHA1 exploitable/breakable
SHA1 is breakable as the cost and time required to generate SHA1 collisions have been decreasing, making it feasible for well-funded attackers to break SHA1
26
NIST advice for SHA1
NIST advises against using SHA1 in favour of stronger algorithms like SHA256 or SHA3
27
What is HMAC
A type of Message Authentication Code that uses a cryptographic hash function along with a secret key to provide data integrity and authenticity; the secret key is known only to the sender and the recipient
28
What does MAC in HMAC stand for
Message Authentication Code
29
What does a HMAC do
It verifies that the payload has not been tampered with, like a JWT signature being verified
30
What is the OSI Model
The OSI Model is a reference model that enables the communication of different technical systems via various devices and technologies and provides compatibility
31
What are the layers of the OSI Model (in order)
Physical, Data Link, Network, Transport, Session, Presentation, Application
32
What are the layers of the TCP/IP Model
Link, Internet, Transport, Application
33
What is Layer 3 of the OSI Model and what does it do
Layer 3 is the Network layer and it is where data packets are transferred from node to node until they reach their destination
34
In the postal/mail example of Network, what is the IPv4/IPv6
It is the unique postal address and suburb of the receiver's building
35
In the postal/mail example of Network, what is the MAC Address
It is the exact floor and apartment of the receiver
36
How many bit groups are in an IPv4
8 bit groups
37
How many binary numbers in a IPv4 Address
32
38
What is the number convention of each bit in the IPv4 Address (descending order)
128, 64, 32, 16, 8, 4, 2, 1
39
What is the Subnet Mask
Describes which bit positions within the address are the network part and the host part
40
Can the bits of an IPv4 address covered by the subnet mask ever change? E.g. with a mask of 255.255.0.0, can the 192.168 part of 192.168.24.2 ever change? Give an explanation
No. If a subnet mask octet is 255, that entire octet of the IPv4 address cannot change. If the octet is something like 192, we have to write out the 8-bit binary notation of that subnet mask octet (from either the CIDR suffix or the subnet mask), and the bits set to 1 cannot change
41
What is CIDR
Classless Inter-Domain Routing is a method of representing the subnet mask in a suffix form
42
Give an example of a CIDR suffix and which parts of the IPv4 can and cannot change due to the subnet mask/CIDR suffix
/26 means 26 one-bits in the subnet mask, which is 255.255.255.192, i.e. 1111 1111 . 1111 1111 . 1111 1111 . 1100 0000, so the last 6 bits can change; we can find the first and last IPs of that subnet with this information
43
What is IPv6 and how many bits in length
IPv6 is the successor of IPv4 and is 128 bits in length
44
How many blocks is an IPv6 address
8 blocks of 16 bits each (4 hex numbers)
45
How can an IPv6 Address be shortened
If an entire block is 0000 we can get rid of it and replace it with a double colon (::)
46
TCP Telnet
23
47
TCP SSH
22
48
TCP SNMP
161
49
TCP HTTP
80
50
TCP HTTPS
443
51
TCP DNS
53
52
TCP FTP
20-21
53
TCP TFTP
69
54
TCP NTP
123
55
TCP SMTP
25
56
TCP SMB
445
57
TCP RDP
3389
58
TCP LDAP
389
59
TCP ICMP
0-255
60
23
Telnet
61
22
SSH
62
161
SNMP
63
80
HTTP
64
443
HTTPS
65
53 TCP
DNS
66
69
TFTP
67
123
NTP
68
25
SMTP
69
MySQL
3306
70
3306
MySQL
71
DHCP
67
72
67
DHCP
73
What is UDP
UDP is a connectionless protocol, which means it does not establish a virtual connection before transmitting data; instead it sends data packets and does not check to see if they were received
74
What is an example of UDP
Video streaming, online gaming
75
What does UDP stand for
User Datagram Protocol
76
What is TCP
TCP is a connection-based protocol that establishes a virtual connection between two devices before transmitting data via a Three-Way Handshake; as a result TCP is slower than UDP
77
What is the negative of TCP
It is slower than UDP due to the Three-Way Handshake
78
What does TCP stand for
Transmission Control Protocol
79
What is ICMP
ICMP is used by devices to communicate with each other on the Internet, such as a ping request, which tests connectivity between devices
80
What does ICMP stand for
Internet Control Message Protocol
81
What is symmetric encryption
A method that uses the same key to encrypt and decrypt the data, meaning the sender and receiver must have the same key to decrypt the data
82
What are examples of symmetric encryption
AES and DES
83
What does AES stand for
Advanced Encryption Standard
84
What does DES stand for
Data Encryption Standard
85
What is considered to be the most secure encryption algorithm nowadays
AES
86
What is asymmetric encryption
A method of encryption that uses two different keys, a public key and a private key. The public key is used to encrypt data and anyone can access it, but only the recipient, who has the private key, can decrypt the data
87
What are examples of asymmetric encryption
RSA, PGP, ECC
88
What does RSA stand for
Rivest-Shamir-Adleman
89
What does PGP stand for
Pretty Good Privacy
90
What does ECC stand for
Elliptic Curve Cryptography
91
What is 3DES
3DES is an extension of DES which encrypts data more securely; the procedure usually consists of three keys
92
Which is faster AES or DES and why
AES is faster than DES due to its more efficient algorithm structure, as it can be applied to multiple data blocks at once
93
What does IKE stand for
Internet Key Exchange
94
What is Diffie-Hellman
Diffie-Hellman is a key exchange method which allows two parties to agree on a shared secret key without any prior communication or shared private information
95
What is Diffie-Hellman vulnerable to
MiTM attacks where the attacker intercepts the communication and pretends to be one of the parties
96
What are Key Exchange Methods
Diffie-Hellman, RSA, ECDH, ECDSA
97
What is RSA
RSA uses the properties of large prime numbers to generate a shared secret key; it relies on the fact that it is easy to multiply large prime numbers but challenging to factor the result back into its prime factors
98
What does ECDH stand for
Elliptical Curve Diffie-Hellman
99
What does ECDSA stand for
Elliptic Curve Digital Signature Algorithm
100
What are examples of commonly used authentication protocols
TLS, SSL, OAuth, HTTPS, 2FA
101
What does WEP stand for
Wired Equivalent Privacy
102
What does WPA stand for
WiFi Protection Access
103
What are security features on a WiFi connection
Encryption, Access Control and Firewalls
104
What does WPA do
WPA provides the highest level of security by using a secure authentication method such as a pre-shared key
105
What is LEAP and PEAP
They are authentication protocols used to secure wireless networks, providing a secure method for authenticating devices, and are used in conjunction with WEP/WPA
106
What does LEAP stand for
Lightweight Extensible Authentication Protocol
107
What does PEAP stand for
Protected Extensible Authentication Protocol
108
Which is more secure, LEAP or PEAP and why
PEAP is more secure as it uses a secure authentication method called TLS, whereas LEAP uses a shared key for authentication, which makes it easy to gain access if the key is compromised
109
What is a Disassociation Attack
It is a wireless network attack that disrupts communication between a WAP and clients by sending disassociation frames causing the client to disconnect from the network
110
What is IPSec
IPSec is a network security protocol providing encryption and authentication for internet communications; it encrypts the data payload of each IP packet and adds an authentication header (AH) which is used to verify the authenticity of the packet
111
What two security protocols does IPSec use
Authentication Header and Encapsulating Security Protocol (ESP)
112
What is ESP
Provides encryption and optional authentication for IP packets; it encrypts the data payload of each packet
113
Internet Key Exchange (IKE) Port
UDP 500
114
UDP 500
Internet Key Exchange (IKE)
115
What is SSL
SSL is a cryptographic protocol designed to provide secure communication over a computer network; it was the predecessor of TLS
116
Which is more secure SSL 3.0 or TLS 1.0
TLS 1.0
117
What is the standard protocol for securing communications
TLS
118
What is PGP
PGP is an encryption program that provides cryptographic privacy and authentication for data communication
119
What is PGP often used for
PGP is often used to secure emails and files by encrypting them, ensuring only the intended recipient can read the contents
120
What is TKIP
TKIP is a security protocol used in wireless networks and was designed as a temporary solution to improve security on existing hardware that initially only supported weaker WEP encryption
121
What does TKIP stand for
Temporal Key Integrity Protocol
122
Where does TKIP rank amongst WEP and WPA
TKIP was an improvement over WEP but still not as secure as the later WPA2 which uses AES encryption
123
What encryption does WPA2 use
AES
124
Why was WEP deprecated
WEP was deprecated due to weak encryption; WEP's use of the RC4 cipher and poor implementation of key management makes it susceptible to a variety of attacks
125
What information can we find in a WHOIS query
Domain name, registrar, registrant contact, administrative contact, technical contact, creation/expiration dates, name servers, etc.
126
What is a whois query
It is like a phonebook for the internet
127
What tool can be used to query DNS information
dig
128
What does dig stand for
Domain Information Groper
129
What is DNS
DNS is like the internet's GPS system, guiding your journey by resolving domain names to precise IP addresses
130
What is a DNS zone
A zone is a distinct part of the domain namespace that a specific entity manages, e.g. example.com and all its subdomains would belong to the same DNS zone
131
What is a DNS Zone Transfer
A DNS Zone Transfer is a copy of all DNS records within a zone, used to recreate the zone in the same format from one name server to another
132
What is a DNS Zone Transfer vulnerability
If not properly secured, the Zone Transfer file can be downloaded, revealing a complete list of subdomains, their associated IP addresses and other sensitive DNS data
133
How to check for a DNS Zone Transfer vulnerability
dig axfr @
134
How to find the DNS server
dig ns
135
What is an A Record
It is a mapping to an IPv4 Address
136
What is an AAAA Record
It is a mapping to an IPv6 Address
137
What is a CNAME
Canonical Name, it creates an alias for a hostname, pointing it to another hostname
138
What is an MX Record
Mail Exchange Record, specifies the mail server(s) responsible for handling emails for the domain
139
What is an NS Record
Name Server Record, delegates a DNS Zone to a specific authoritative name server
140
What is a TXT Record
Text Record, stores arbitrary text information, often used for security policies and domain ownership verification
141
What is a PTR Record
Pointer Record, used for reverse DNS lookups, mapping an IP address to a hostname
142
What is a SOA Record
Start of Authority Record, specifies administrative information about a DNS zone, including primary name server, responsible person's email and other parameters
143
What are Search Operators for Google Dorking
site: , inurl:, filetype:
144
How can we find a specific extension with Google Dorks
Site:example.com ext.conf
145
What is Telnet?
Telnet is a protocol used for accessing remote devices over TCP/IP networks, allowing a user to log in to another computer remotely and providing a CLI to manage and control the remote device
146
What port is Telnet on?
Port 23
147
What is Port 23
Telnet
148
Name two vulnerabilities in Telnet
Lack of encryption and weak authentication
149
What is the lack of encryption in Telnet
Telnet transmits all data including usernames and passwords in plaintext
150
What is the weak authentication in Telnet
Telnet often lacks strong authentication mechanisms, making it easier for attackers to gain unauthorised access
151
What is a common Web based protocol
HTTP/HTTPS
152
What is HTTP/HTTPS used for
HTTP/HTTPS is a method used for transport of information between a client (such as a browser) and a web server
153
What port does HTTP listen on
Port 80
154
What port does HTTPS listen on
Port 443
155
What is port 80
HTTP
156
What is port 443
HTTPS
157
What are two vulnerabilities on HTTP/HTTPS
HTTP lacks encryption and HTTPS is still vulnerable if using older SSL/TLS protocols
158
What is the HTTP vulnerability
All data is sent in plaintext as HTTP does not use encryption
159
What is the HTTPS vulnerability
If the web server is configured to use old SSL/TLS protocols such as TLS 1.0, 1.1, 1.2, it could be vulnerable to decryption of data due to various known vulnerabilities
160
What is Secure Shell (SSH)
SSH is a cryptographic network protocol used for secure remote login, replacing older protocols like Telnet
161
What port does SSH listen on
Port 22
162
What is Port 22
SSH
163
What are two vulnerabilities with SSH
Brute force attacks and credential theft
164
What is the brute force attack vulnerability in SSH
Attackers can try many username/password combinations
165
What is the credential theft vulnerability in SSH
If SSH keys or passwords are compromised, an attacker can gain unauthorised access to a system
166
What is SNMP
SNMP (Simple Network Management Protocol) is used for managing devices on IP networks, such as routers, switches and servers. It enables monitoring and control of these devices
167
What does SNMP stand for
Simple Network Management Protocol
168
What port does SNMP listen on
UDP Port 161
169
What are two vulnerabilities with SNMP
Lack of encryption and unauthorised access
170
What is the lack of encryption in SNMP
SNMP v1 and v2c do not provide encryption, making the traffic vulnerable to interception
171
What is the unauthorised access vulnerability in SNMP
If SNMP community strings (passwords) are known or guessed, an attacker can retrieve/alter configuration data. SNMP also uses default community strings, which if not changed are "public" and "private"
172
What is TFTP
TFTP is primarily used to transfer files to and from network devices
173
What does TFTP stand for
Trivial File Transfer Protocol
174
What port does TFTP listen on
UDP Port 69
175
What are two vulnerabilities with TFTP
No authentication and no encryption on transfers
176
What is the no authentication vulnerability on TFTP
TFTP does not provide any form of authentication, making it vulnerable to unauthorised file access and transfers
177
What is the no encryption on transfers vulnerability in TFTP
TFTP transfers files in plaintext, allowing attackers to intercept or tamper with the data
178
What is Cisco Reverse Telnet
Cisco Reverse Telnet allows a network device to initiate a Telnet session to another device; it is often used for managing out-of-band network devices via a serial connection
179
What port does Cisco Reverse Telnet listen on
Port 2000 and above (Port = 2000 + line number)
180
What are two vulnerabilities in Cisco Reverse Telnet
Lack of encryption and credential exposure
181
What is the lack of encryption vulnerability in Cisco Reverse Telnet
Like regular Telnet, Reverse Telnet lacks encryption, making it vulnerable to eavesdropping and interception
182
What is the credential exposure vulnerability in Cisco Reverse Telnet
Since authentication is done in plaintext, credentials can easily be intercepted and reused by attackers
183
What is NTP
NTP is used to synchronise the clocks of networked devices to ensure all devices have the same correct time
184
What port does NTP listen on
UDP Port 123
185
What does NTP stand for
Network Time Protocol
186
What are two vulnerabilities in NTP
Time manipulation and NTP amplification attacks
187
What is the time manipulation vulnerability in NTP
If an attacker can alter the time provided by the NTP server, this can have significant consequences such as disrupting scheduled tasks or invalidating certificates
188
What is the NTP amplification attack
Where small queries result in large responses, which can be directed towards a target to create a DDoS attack
189
TACACS+ Port
TCP Port 49
190
TCP Port 49
TACACS+
191
What does ARP stand for
Address Resolution Protocol
192
What does ARP do
ARP is used to map IP Addresses to MAC addresses on a local network. When a device wants to communicate with another device on the same network, it uses ARP to find the MAC Address corresponding to the target device's IP Address
193
What vulnerabilities is ARP subject to
ARP Spoofing/Poisoning and MiTM attacks
194
What is ARP Spoofing/Poisoning
An attacker can send forged ARP messages onto the network, associating their own MAC Address with the IP of another device, allowing the attacker to intercept traffic
195
What does DHCP stand for
Dynamic Host Configuration Protocol
196
What port does DHCP listen on
UDP Port 67 and 68
197
What does DHCP do
DHCP automatically assigns IP addresses and other network configurations to devices on the network
198
What are vulnerabilities DHCP is subject to
Rogue DHCP servers and DHCP starvation attacks
199
What is a DHCP starvation attack
When an attacker exhausts the pool of available IP addresses by rapidly requesting IP addresses, effectively denying new devices a valid IP address
200
What is a rogue DHCP server
When an attacker sets up a rogue DHCP server on the network which assigns incorrect IP configurations to devices, leading them to use the attacker's server as the default gateway
201
What is CDP
CDP is a proprietary protocol used by Cisco devices to share information about other directly connected Cisco devices
202
What does CDP stand for
Cisco Discovery Protocol
203
What vulnerabilities is CDP subject to
Information disclosure and CDP spoofing
204
What is CDP Spoofing
Attackers can send fake CDP messages to trick devices into believing they are connected to different devices, potentially disrupting network operations
205
What is information disclosure CDP is subject to
Since CDP broadcasts detailed information about the device, an attacker on the same network segment can capture this data and gain insights into the network's structure and configuration
206
What does HSRP stand for
Hot Standby Router Protocol
207
What does HSRP do
HSRP is a Cisco protocol that provides high availability by allowing two or more routers to work together to present the appearance of a single virtual router to the hosts on the network
208
What port does HSRP listen on
UDP Port 1985
209
UDP Port 1985
HSRP
210
UDP Port 67 and 68
DHCP
211
What are vulnerabilities HSRP is subject to
Lack of authentication and HSRP Spoofing
212
What is the lack of authentication vulnerability HSRP is subject to
Older implementations of HSRP do not include strong authentication mechanisms, making it easier for attackers to inject rogue HSRP messages
213
What is HSRP Spoofing
HSRP Spoofing is when an attacker can send crafted HSRP messages to take over the active router role, leading to traffic being directed through a malicious router
214
What is VRRP
VTP is similar to HSRP but is a standards-based protocol that provides high availability to routers by creating a virtual router as a backup for a group of physical routers
215
What does VRRP stand for
Virtual Router Redundancy Protocol
216
What are vulnerabilities VRRP is subject to
Weak authentication and VRRP spoofing
217
What is VRRP spoofing
VRRP spoofing is when an attacker sends spoofed VRRP messages to become the master router, thereby intercepting or disrupting network traffic
218
What is weak authentication in VRRP
Without strong authentication, VRRP messages can be easily spoofed, allowing an attacker to manipulate the redundancy protocol
219
What does VTP stand for
VLAN Trunking Protocol
220
What is VTP
VTP is a Cisco proprietary protocol that propagates VLAN information within a switched network, simplifying VLAN management by allowing VLAN configurations to be made on one switch and automatically propagated to other switches in the network
221
What are VTP vulnerabilities
VLAN trunking issues and VTP Manipulation
222
What are VLAN trunking issues
Misconfigurations or malicious reconfigurations of VTP can cause devices to be placed on unintended VLANs, potentially exposing sensitive data
223
What is VTP Manipulation
When an attacker configures a rogue switch with a higher VTP revision number, causing other switches to adopt the attacker's VLAN configuration
224
What does STP stand for
Spanning Tree Protocol
225
What does STP do
STP ensures a loop-free topology in Ethernet networks by managing redundant links; it prevents network loops by placing certain ports in a blocking state
226
What are vulnerabilities STP is subject to
STP Manipulation and Denial of Service
227
What is DoS that STP is subject to
By flooding the network with BPDUs an attacker can cause network instability, resulting in performance degradation or denial of service
228
What is STP Manipulation
An attacker can send fake Bridge Protocol Data Units (BPDUs) to manipulate the STP topology, potentially becoming the root bridge, causing traffic to flow through the attacker's device
229
What is TACACS+
TACACS+ is a protocol used to authenticate and authorise users accessing network devices such as routers and switches
230
What does TACACS+ stand for
Terminal Access Controller Access-Control System Plus
231
Name two ways to enumerate devices running IPSec services
An nmap scan, first a UDP scan with flags -sU and -p and then a Protocol scan with flags -sO and --protocol; or through banner grabbing, although IPSec services typically don't return verbose banners, attempting to connect to the service might reveal some information
232
How can we fingerprint IPSec Services
Tools like ike-scan can fingerprint through crafted IKE requests to identify the vendor and version of the IPSec implementation
233
What is VoIP
VoIP is a technology that allows voice communication and multimedia sessions over IP networks such as the internet
234
What does VoIP stand for
Voice over Internet Protocol
235
What are two common VoIP protocols
SIP and RTP
236
What does SIP stand for
Session Initiated Protocol
237
What does RTP stand for
Real-Time Transport Protocol
238
What does RTP do
Handles the data transmission and transport of VoIP calls
239
What does SIP do
Used to initiate, maintain and terminate voice and video calls
240
How can we enumerate a VoIP Service
Using an nmap scan on common VoIP ports
241
SIP Port
Port 5060
242
Port 5060
SIP Port
243
How can we fingerprint VoIP Services
By analysing SIP headers such as User-Agent we can often determine the software version and vendor of the SIP server; additionally, tools like sipfinger can automate this process by sending SIP requests and analysing the responses
244
What is the SIP Protocol
SIP is one of the most widely used protocols for managing multimedia communication sessions, including voice and video calls
245
What is SIP communication similar to and how
SIP communications are similar to HTTP as they both rely on request/response transactions
246
What are common SIP request methods
INVITE, ACK, BYE, REGISTER and CANCEL
247
What is SIP - INVITE
Initiates a call
248
What is SIP - ACK
Confirms that the client has received a final response to an INVITE request
249
What is SIP - BYE
Terminates a call
250
What is SIP - REGISTER
Registers the user's location (i.e. their IP address) with a SIP server
251
What is SIP - CANCEL
Cancels a pending request
252
What are SIP security issues
Eavesdropping and Registration Hijacking
253
What is eavesdropping in SIP
Without encryption, SIP signalling can be intercepted, allowing attackers to listen in on calls
254
What is registration hijacking in SIP
An attacker can impersonate a legitimate user by hijacking their SIP registration, enabling them to receive calls intended for the user
255
How can we enumerate devices running Wireless services
airodump-ng can capture requests made by devices actively searching for networks; additionally, Wireshark and Kismet can be used to scan for available wireless networks, list SSIDs and identify Access Points
256
How can we fingerprint Wireless services
Through 802.11 frame analysis tools like Wireshark and tshark, which can be used for capturing and analysing wireless frames
257
What is an SSID
An SSID is a unique name that identifies a specific wireless network; it is broadcast by the Access Point to help devices discover and connect to the network
258
What is the maximum length of an SSID
32 characters in length
259
What does SSID stand for
Service Set Identifier
260
What is Active Directory
Active Directory is a centralised management service for resources including users, computers, groups, network devices, file shares, group policies, etc.
261
What is AD "essentially"
AD is essentially a read-only database accessible to all users within the domain, regardless of their privilege
262
What is a Forest
A Forest is the top-level container which holds one or more domains; it represents the entire AD environment, where all domains share a common schema and global catalog
263
What is at the top of the AD hierarchy
Forest
264
What is a domain in AD
A domain is a structure within which container objects (users, groups, computers) are accessible
265
What is an Object in AD
An object can be defined as ANY resource present within an Active Directory such as users, computers, OU's, etc.
266
What are attributes in AD
Every object has an associated set of attributes used to define characteristics of the given object.
267
Give example attributes of a user object
firstName, fullName, email, username, password
268
What can we think of domains in AD as
We can think of domains in AD like different states or countries
269
What can we think of Forest like in AD
A Forest is like the US, and the domains are all the states inside of the US
270
What is MSBROWSE
MSBROWSE is a Microsoft protocol that was used to maintain a list of resources such as shared printers and files that were available on the network
271
What superseded MSBROWSE
SMB
272
How to find the Master Browser
nbtstat -A
273
What is a Global Catalog
A Global Catalogue is a domain controller that stores copies of ALL objects in an AD Forest. The GC allows both users and applications to find information about any object in ANY domain in the forest
274
What are the five roles of the FSMO
Schema Master, Domain Naming Master, Relative ID Master, Primary Domain Controller Emulator, Infrastructure Master
275
What does FSMO stand for
Flexible Single Master Operations
276
What are the two groups of FSMO roles and what separates them
Forest-wide and Domain-wide, Forest-wide roles are for the entire forest but domain-wide is for each domain
277
What are the Forest-wide FSMO roles
Schema Master and Domain Naming Master
278
What are the domain-wide FSMO roles
Relative ID Master, Primary Domain Controller Emulator, Infrastructure Master
279
How do the FSMO roles work in terms of delegation
All 5 FSMO roles are assigned to the first DC in the forest root domain; each time a new domain is added to a forest, the first DC in that domain also gets the RID Master, PDC Emulator and Infrastructure Master roles assigned
280
What are leaf objects in AD
When they do not or cannot contain other objects
281
Why is DNS important for AD
AD DS uses DNS to allow clients (workstations, servers) to locate the Domain Controller and for Domain Controllers that host the directory service to communicate amongst each other
282
What does AD DS stand for
Active Directory Domain Services
283
How do DNS resolutions work in AD
The AD uses DNS to find the IP address of the DC through an SRV record
284
What does LDAP stand for
Lightweight Directory Access Protocol
285
What is LDAP
LDAP is a protocol used for authentication against various directory services such as AD
286
What specified LDAP
RFC 4511
287
What is LDAP essentially
LDAP is the language that applications use to communicate with other servers that provide directory services, similar to a user interacting with an SQL DB through SQL queries
288
What cryptographic technique is used for NTLM, NTLMv1 and NTLMv2
Symmetric key cryptography
289
What cryptographic technique is used for Kerberos
Symmetric key cryptography & asymmetric cryptography
290
What message type (encryption) is used for NTLMv1 and NTLMv2
MD4 hash, random number
291
What message type (encryption) is used for Kerberos
Encrypted ticket using DES, MD5
292
What does LANMAN stand for
LAN Manager
293
What does LANMAN do
LANMAN is the oldest hash storage mechanism used by the Windows OS
294
Where are LANMAN hashes stored
In the SAM database and in the NTDS.DIT database on the Domain Controller
295
What is the AD Database file
NTDS.dit
296
Why was LANMAN vulnerable and not in use anymore
Passwords were limited to 14 characters and converted to upper case before hashing, then also split into two 7 character blocks making it easier to crack
297
What is NTLMv1
NTLMv1 performs a challenge/response between a server and a client using the NTLM hash which is used for network authentication
298
What are the merits of NTLMv1
Improved security by using MD4 hashing and avoids splitting password into 7 char chunks, also is not vulnerable to PtH attacks
299
Why was NTLMv2 created and why is it better than NTLMv1
It is a protocol that was created as a stronger alternative to v1; it is hardened against spoofing attacks that v1 is susceptible to
300
What is the process of NTLMv2
NTLMv2 sends two responses to the 8-byte challenge: the first containing a 16-byte HMAC-MD5 hash of the challenge, a randomly generated challenge from the client and an HMAC-MD5 of the user credentials, followed by a second response using a client challenge including the current time, an 8-byte random value and the domain name
301
Merits of NTLMv2
Much stronger security using HMAC-MD5, making it more resistant to brute-force attacks, and it is also compatible with legacy systems
302
How many hashes does Cached Credentials store
Last 10
303
What is AD Group Policy
An AD feature that provides admins with advanced settings they can apply to both user and computer accounts in a Windows environment
304
What are some things that can be configured using Group Policy
Policies such as screen lock timeouts, disabling USB ports, enforcing custom domain password policies, installed software, managing applications, etc.
305
What is a GPO
It is a virtual collection of Group Policy settings that can be applied to user(s) or computer(s)
306
What does GPO stand for
Group Policy Object
307
What is Local Security Policy
It is a set of security-related Group Policy settings that are applied to a single computer (not whole OU's)
308
What file manages the Local Security Policy
gpedit.msc
309
What is the GPO order of precedence
In order: Local Security Policy, Site Policy, Domain Policy, Parent OU policy, Child OU policy
310
What is the name of the default Group Policy
Default Domain Policy
311
When is the Default Domain Policy used
It is used when there are no other Group Policies applied to an object
312
What is a Rainbow Table Attack
It is a pre-computed table of hashes and their corresponding plaintext passwords, which is a much faster method than a brute-force attack
313
What is the Rainbow Table Attack's limitations
The method is limited by the rainbow table size; the bigger the table, the more passwords and hashes it can store
314
What is the Definition and Enforcement of a Password Policy
Definition: A guideline on what the password policy requires - Enforcement: The technology used to make sure users comply with the password policy
315
What is a Password Policy
A set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them based on the company's definition
316
What are common password policy standards
CIS Password Policy Guide, PCI DSS
317
What is a sample password policy
Min. 8 characters, must include uppercase and lowercase letters, must include symbols and numbers, it should not be the username
318
How can we attack SAM
We can dump files with hashes and proceed to crack them
319
What are the three files that store hashes
hklm\sam, hklm\system, hklm\security
320
What does hklm\sam contain
Contains the hashes associated with local account passwords; we will need the hashes to crack them and get the user password in plaintext
321
What does hklm\system store
Contains the system bootkey, which is used to encrypt the SAM database
322
What does hklm\security store
Contains cached credentials (last 10) for domain accounts
323
How can we hunt for plaintext credentials
If we have a GUI, we can use built-in search functions like Windows Search to search terms related to passwords
324
What are keywords we can use to search for plaintext passwords
Passwords, Usernames, Pwd, Passkey, Credentials
325
What is HTML Source Review
Sift through HTML source code to look for interesting data
326
What can we gather from web mark-up
Hidden form fields, database connection strings, credentials developers may have left, developer comments, etc.
327
How to download an HTML site
wget -r -m -nv
328
What is MySQL
MySQL is an open-source relational database management system developed and supported by Oracle
329
What is the MySQL file ext
MySQL databases are often stored in a single file with the extension .sql (e.g: wordpress.sql)
330
What is MariaDB
MariaDB is a fork of the original MySQL, as the chief developer of MySQL left and created MariaDB
331
What Port does MySQL run on
TCP Port 3306
332
TCP Port 3306
MySQL
333
How to see MySQL version
select version();
334
What is MSSQL
MSSQL is a Windows SQL-based RDBMS that was written to run on Windows OS due to its strong native support for Microsoft's .NET framework; therefore it is most often found on Windows hosts
335
What is the authentication mechanism for MSSQL if authentication is set to Windows Authentication
It will be processed through the local SAM database or the hosting Active Directory
336
What is the issue with Active Directory for MSSQL auth
If the account is compromised, it could lead to privilege escalation and lateral movement across a Windows domain environment
337
What is SSMS
SSMS comes as a feature that can be installed with MSSQL or separately; it allows for initial configuration of a database but also long-term management by admins
338
What does SSMS stand for
SQL Server Management Studio
339
How to find the SSMS MSSQL client
locate mssqlclient
340
MSSQL Port
Port 1433
341
Port 1433
MSSQL
342
What does nmap have for MSSQL
Nmap has a default MSSQL scan
343
What are MSSQL Attack Vectors
Dangerous settings, default nmap MSSQL scans, Metasploit scans, can connect via mssqlclient.py
344
What are dangerous settings in MSSQL
MSSQL clients not using encryption to connect, as it is not forced; use of self-signed certificates, which can be spoofed; weak and default sa credentials, which admins may have forgotten to disable
345
What is Oracle TNS
Oracle TNS is a communication protocol that facilitates communication between Oracle databases and applications over networks
346
What does Oracle TNS stand for
Oracle Transparent Network Substrate
347
Why is Oracle TNS considered safe and secure
Oracle TNS is considered safe and secure as it has built-in encryption mechanisms ensuring the security of data transmitted
348
What port does Oracle TNS listen on
TCP Port 1521
349
TCP Port 1521
Oracle TNS
350
In which versions can Oracle TNS be remotely managed
Oracle 8i/9i but not Oracle 10g/11g
351
What is the combination used for basic authentication of TNS Listener
Hostname, IP Address, Username, Password
352
What are the two configuration file names of Oracle TNS
tnsnames.ora and listener.ora
353
What is the default Oracle 9 password
CHANGE_ON_INSTALL
354
What is the default Oracle 10 password
There is no default password for Oracle 10
355
What is the default Oracle DBSNMP password
dbsnmp
356
What is the MSSQL port in hidden mode
2433
357
Port 2433
MSSQL in hidden mode